Vulnerability Information
Vulnerability Title
ghinstallation returns app JWT in error responses
Vulnerability Description
ghinstallation provides Transport, an http.RoundTripper that authenticates outgoing requests as a GitHub App installation. In ghinstallation version 1, when the request to refresh an installation access token failed, the HTTP request and response were returned to the caller for debugging. That request carries the App's bearer JWT in its Authorization header, so the JWT was handed back to clients, and to anything that logs or forwards the error. The token is short lived (10 minutes at most), but while valid it authenticates as the App itself and can be exchanged for an installation access token for any installation of that App, so it should never leave the transport. The issue is patched in version 2.0.0 (the v2 module, github.com/bradleyfalzon/ghinstallation/v2).
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
Vulnerability Type
Information Exposure Through an Error Message
Vulnerability Title
ghinstallation security vulnerability
Vulnerability Description
ghinstallation is a library from the individual developer Bradley Falzon that authenticates as an installation in the GitHub App installation workflow. Versions of ghinstallation before 2.0.0 contain a security vulnerability: when the request to refresh an installation token fails, the HTTP request and response are returned for debugging, and because the request contains the application's bearer JWT, that token is returned to the client. The token is short lived.
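The failure path both descriptions above refer to, as an added example that is not ghinstallation's own code: a transport-style token refresh whose error carries the failed *http.Response, run once in the vulnerable shape and once with the outbound request stripped before the error is returned. The HTTPError type, the refreshToken and errorExposes functions, the 401-only stand-in for api.github.com and the JWT string are all assumptions constructed for the demo; the only library behaviour relied on is that http.Client.Do sets resp.Request to the request it sent.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HTTPError is a hypothetical error type modelled on the pattern the advisory
// describes (an error that carries the failed *http.Response for debugging).
// It is not ghinstallation's own type.
type HTTPError struct {
	Message  string
	Response *http.Response
}

func (e *HTTPError) Error() string { return e.Message }

// newTokenRequest builds the POST .../access_tokens request an installation
// transport sends. The App JWT travels in the Authorization header.
func newTokenRequest(url, appJWT string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github.v3+json")
	return req, nil
}

// refreshToken fetches an installation token. On a non-2xx reply it returns an
// HTTPError with the response attached. http.Client.Do sets resp.Request to the
// request that was sent, so with redact=false (the vulnerable pattern) the caller
// receives the Authorization header and the App JWT inside it. With redact=true
// the request is dropped before the error leaves the transport.
func refreshToken(client *http.Client, url, appJWT string, redact bool) (string, error) {
	req, err := newTokenRequest(url, appJWT)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		if redact {
			resp.Request = nil // never hand the outbound request, and its credentials, to callers
		}
		return "", &HTTPError{
			Message:  fmt.Sprintf("received non 2xx response status %q when fetching %v", resp.Status, req.URL),
			Response: resp,
		}
	}
	var body struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.Token, nil
}

// errorExposes reports whether err, as seen by a caller, carries secret in any
// header of the attached request. Usable as a regression check in a test suite.
func errorExposes(err error, secret string) bool {
	var he *HTTPError
	if !errors.As(err, &he) || he.Response == nil || he.Response.Request == nil {
		return false
	}
	for _, vals := range he.Response.Request.Header {
		for _, v := range vals {
			if strings.Contains(v, secret) {
				return true
			}
		}
	}
	return false
}

// Demo runs both variants against a constructed stand-in for api.github.com that
// rejects every access_tokens request with 401 (the failure path the advisory
// concerns) and reports whether each variant exposes the JWT to the caller.
func Demo() (leakyExposes, hardenedExposes bool) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
	}))
	defer srv.Close()
	const appJWT = "eyJhbGciOiJSUzI1NiJ9.constructed-app-jwt.signature" // constructed, not a real token
	url := srv.URL + "/app/installations/12345/access_tokens"

	_, err := refreshToken(srv.Client(), url, appJWT, false)
	leakyExposes = errorExposes(err, appJWT)
	_, err = refreshToken(srv.Client(), url, appJWT, true)
	hardenedExposes = errorExposes(err, appJWT)
	return leakyExposes, hardenedExposes
}

func main() {
	leaky, hardened := Demo()
	fmt.Printf("vulnerable pattern exposes App JWT: %v\n", leaky)
	fmt.Printf("redacting pattern exposes App JWT:  %v\n", hardened)
}
```

Dropping resp.Request is the minimal fix; an error message built only from resp.Status and req.URL, as here, stays safe to log. If a caller genuinely needs request details for debugging, copy the headers with Authorization removed rather than attaching the original request.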
CVSS Information
N/A
Vulnerability Type
N/A